Information Security Chapter 3
Examples of specific security responsibilities
-Delete redundant/guest accounts -Train system administrators (specific training) -Train everybody (general training) -Install virus-scanning software -Install IDS/IPS and network-scanning tools
Examples of specific purposes of countermeasures
-Fix known exploitable software flaws -Develop and enforce operational procedures and access controls (data and system) -Provide encryption capability -Improve physical security -Disconnect unreliable networks
Loss expectancy calculation
1. Calculate the asset value (AV) 2. Calculate the exposure factor (EF) 3. Calculate the single loss expectancy (SLE) 4. Determine how often a loss is likely to occur every year 5. Determine annualized loss expectancy (ALE)
Risk Management Process Steps
1. Identify risks 2. Assess and prioritize risks 3. Plan risk responses 4. Implement risk responses 5. Monitor and control risk responses
Technical Control
A control that is carried out or managed by a computer system
Risk register
A list of identified risks. Each entry contains a description of the risk, the expected impact if the associated event occurs, the probability of the event occurring, steps to mitigate the risk, steps to take should the event occur, and the rank (priority) of the risk.
Zero day
An exploit for a vulnerability that the vendor and defenders do not yet know about, so no patch or specific defense exists. "Zero day" refers to how new the exploit is to defenders; it may already have been known in the attacker community for days or weeks. When such an attack occurs for the first time, defenders are given zero days of notice (hence the name).
Business Continuity Plan (BCP)
A plan that makes sure your company continues to operate in the face of disruption caused by a realized risk
Administrative Controls
A set of parameters involved in the process of developing and ensuring compliance with policy and procedures.
Replay attacks
A type of attack in which an attacker uses a network sniffer to capture network traffic and then retransmits that traffic onto the network at a later time. These attacks often focus on authentication traffic, in the hope that retransmitting the same packets that let the real user log on to a system will grant the attacker the same access. Defenses rely on freshness: a nonce or timestamp bound into each exchange, per-session keys, and message sequence numbers, so that a recorded exchange is worthless the second time it is sent.
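The following is an added example (not from the original chapter) showing why replay works against a static credential and why a nonce-based challenge-response defeats it. The shared key, server classes and message format are assumptions made for the demonstration; they are not a real protocol.

```python
"""Replay attack against a static credential vs. nonce-based challenge-response.
Added example; all names and the pre-shared key are demo assumptions."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"example-shared-secret"   # assumption: demo pre-shared key, not a real credential


class NaiveServer:
    """Accepts the same fixed token every time it is presented, so anything a
    sniffer captured can simply be sent again."""

    def __init__(self, key: bytes) -> None:
        self.expected = hashlib.sha256(key).hexdigest()

    def login(self, token: str) -> bool:
        return hmac.compare_digest(token, self.expected)


class ChallengeResponseServer:
    """Issues a fresh random nonce for each login attempt and accepts each nonce once."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.outstanding = set()          # nonces issued but not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:
            return False                  # never issued, or already consumed: a replay
        self.outstanding.discard(nonce)   # consume first, so a failed guess burns the nonce too
        expected = hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)


def client_response(key: bytes, nonce: str) -> str:
    """What the legitimate client sends back for a given challenge."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def replay_naive() -> tuple:
    """(first login ok?, replayed login ok?) against the naive server."""
    server = NaiveServer(SHARED_KEY)
    sniffed = hashlib.sha256(SHARED_KEY).hexdigest()   # the token as seen on the wire
    return server.login(sniffed), server.login(sniffed)


def replay_challenge_response() -> tuple:
    """(first login ok?, replayed login ok?) against the challenge-response server."""
    server = ChallengeResponseServer(SHARED_KEY)
    nonce = server.challenge()
    sniffed = client_response(SHARED_KEY, nonce)       # captured by the sniffer
    return server.login(nonce, sniffed), server.login(nonce, sniffed)


def forge_without_key() -> bool:
    """An attacker who saw earlier exchanges but lacks the key cannot answer a new nonce."""
    server = ChallengeResponseServer(SHARED_KEY)
    nonce = server.challenge()
    return server.login(nonce, client_response(b"wrong-key", nonce))
```

In a real deployment the outstanding-nonce set also needs an expiry (or the nonce carries a timestamp) so that a server cannot be made to hold an unbounded number of unanswered challenges.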
Risk Response Plan controls
Administrative controls: manage the activity phase of security (the things people do).
Activity phase controls: either administrative or technical; correspond to the life cycle of a security program.
countermeasures
An action taken to offset or address a specific threat.
Man-in-the-middle attacks
An attack in which the attacker gets between two parties and intercepts messages before transferring them on to their intended destination.
Malicious attack
An attempt to exploit a vulnerability in an IT hardware asset or application. Malicious attacks include fabrications, interceptions, interruptions and modifications.
Web Application Attacks (1/2)
Arbitrary/remote code execution—Running attacker-supplied commands or code on the remote system, typically by exploiting a flaw in an exposed application. This is often the step that yields privileged or administrative access; once it succeeds, the attacker can execute commands at will.
Buffer overflow—Pushing more data into a buffer than it can hold, overwriting adjacent memory and creating a condition in which further compromise (such as code execution) may be possible.
Client-side attack—Using malware on a user's workstation or laptop inside the internal network, acting in tandem with a malicious server or application on the Internet (outside the protected network).
Cookies and attachments—Using cookies or other attachments (or the information they contain) to compromise security.
Cross-site scripting (XSS)—Injecting script into content that a web application serves, so that the script executes in other users' browsers. The target is the application's users (their sessions, cookies and actions), not the server itself.
Cross-site request forgery (CSRF)—Abusing a victim's authenticated session: content on a third-party site causes the victim's browser to send requests that the target website accepts as coming from the legitimate user.
Directory traversal/command injection—Directory traversal supplies path sequences such as ../ so that a web application reads or writes files outside its intended directory; command injection places attacker-controlled input into an operating-system command the server executes. Either can expose the file system from outside the protected network and lead to data dumps or command execution.
Header manipulation—Tampering with HTTP headers (including cookies and URL information carried in them) to inject false values or commands and provoke an insecure communication or action.
Integer overflow—Causing an arithmetic result to exceed the maximum value a variable can hold, so that it wraps around. This can freeze a financial or mathematical application or create a vulnerability that opens it to further attack.
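An added example (not code from the chapter) contrasting the unsafe and checked handling of user input for the directory traversal and command injection entries above. The web root, the hostname grammar and the ping command are assumptions made for the demonstration.

```python
"""Directory traversal and command injection: naive vs. checked input handling.
Added example; WEB_ROOT and the ping command are demo assumptions."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/app/public"        # assumption: hypothetical document root

# One DNS label: alphanumerics and hyphens, not starting or ending with a hyphen.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_file_path(requested: str) -> str:
    """Naive concatenation: '../' sequences walk out of the web root.
    Returns where the request actually lands on disk."""
    return posixpath.normpath(WEB_ROOT + "/" + unquote(requested))


def safe_file_path(requested: str) -> Optional[str]:
    """Decode once, reject obviously hostile forms, then enforce containment."""
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # normpath collapses '..', but the containment check is what enforces the boundary
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


def vulnerable_ping_command(host: str) -> str:
    """Shell string handed to os.system / shell=True: 'host; cat /etc/passwd'
    runs a second command."""
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def safe_ping_argv(host: str) -> List[str]:
    """Validate against a hostname grammar and build argv for subprocess.run(..., shell=False),
    so the value can never be parsed as shell syntax."""
    if not is_valid_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]
```

On a real file system the final check should be made against os.path.realpath of the candidate, so that a symbolic link inside the web root cannot point outside it.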
Social engineering attacks
Authority, consensus/social proof, dumpster diving, familiarity/liking, hoaxes, impersonation, intimidation, scarcity, shoulder surfing, smishing, tailgating, trust, trusted users, urgency, vishing, whaling
Wireless Network Attacks
Bluejacking—Sending unsolicited messages to a nearby Bluetooth device such as a smartphone or headset; a nuisance that can also carry a social-engineering lure.
Bluesnarfing—Gaining unauthorized access to data on a Bluetooth device, or capturing the traffic between paired devices.
Evil twin—Setting up a fake open or public wireless network that imitates a legitimate one, then sniffing the traffic of any user who connects to it.
IV attack—Exploiting weak or reused initialization vectors (classically in WEP) by collecting many encrypted frames until the shared encryption key can be recovered over time.
Jamming/interference—Transmitting on the same radio frequencies as wireless access points to jam or interfere with wireless communications, disrupting availability for legitimate users.
Near field communication attack—Intercepting, at close range (a few inches), communications between two NFC-enabled mobile devices.
Packet sniffing—Capturing packets off a wireless network and analyzing the TCP/IP data with a tool such as Wireshark.
Replay attacks—Replaying a captured packet stream (for example an authentication exchange) to fool a server into accepting the attacker as an authenticated user.
Rogue access points—Using an unauthorized network device to offer wireless access to unsuspecting users, or to gain a foothold on the internal network.
War chalking—Marking or mapping the physical or geographic location of wireless access points and networks so that others can find them.
War driving—Physically driving around neighborhoods or business complexes looking for wireless access points and networks that broadcast an open or public network connection.
Identifying Risks
Brainstorming, surveys, interviews, working groups, checklists, historical information
Training and Policies
Conduct regular cybersecurity training for staff. Establish strict policies for system usage and data handling
Denial or Destruction Threats
Denial or destruction threats make assets or resources unavailable or unusable. Any threat that destroys information or makes it unavailable violates the availability tenet of information security. A denial or destruction attack is successful when it prevents an authorized user from accessing a resource, either temporarily or permanently
Life cycle of a security program
Deterrent controls, preventive controls, detective controls, corrective controls, compensating controls (listed in the order in which they act: discourage, block, identify, repair, substitute)
Risk management principles
Do not spend more to protect an asset than it is worth. Every countermeasure requires resources to implement and therefore should be aligned with a specific risk. A countermeasure that doesn't mitigate a specific identified risk is a solution seeking a problem; it is difficult to justify the cost.
Personnel safety plan examples
Escape plans, escape routes, drills, control testing
Responses to each positive risk
Exploit, Share, Enhance, Accept
Importance of finances and financial data
Financial assets are among the highest-profile assets in any organization. Loss of financial assets to a malicious attack is a worst-case scenario for any organization: it represents a significant direct loss and can have long-term effects on the company's reputation and brand image.
Physical Security Examples
Heating, ventilating, and air conditioning (HVAC), Fire suppression, EMI shielding, Lighting, Guards, Fencing, Signs, Barricades, Mantraps, Access lists, Biometrics, Proximity readers
control
Includes both safeguards and countermeasures. Actions taken to limit or constrain behavior
Residual calculations
Inherent risk: the risk before any controls are implemented. Suppose a company identifies a risk of a data breach with a potential loss of $100,000.
Controls implemented: the company then implements security measures (such as firewalls, encryption and employee training) that are estimated to reduce the potential loss by 70%.
Reduction due to controls = inherent risk × control effectiveness = $100,000 × 0.70 = $70,000
Residual risk = inherent risk − reduction due to controls = $100,000 − $70,000 = $30,000
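The five-step loss expectancy calculation (AV, EF, SLE, ARO, ALE), the residual risk calculation above, and the "do not spend more to protect an asset than it is worth" principle, carried through in one added worked example. This is not code from the chapter; the asset figures in the register are constructed for illustration, and the countermeasure_value formula (ALE before minus ALE after, minus the control's annual cost) is the standard cost-benefit check, not something the chapter states.

```python
"""Quantitative risk worksheet: AV, EF, SLE, ARO, ALE, residual risk and
countermeasure justification. Added example; the register figures are constructed."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Risk:
    asset: str
    av: float    # step 1: asset value in dollars
    ef: float    # step 2: exposure factor, fraction of AV lost per incident
    aro: float   # step 4: annualized rate of occurrence, incidents per year

    @property
    def sle(self) -> float:
        """Step 3: single loss expectancy, SLE = AV × EF."""
        return self.av * self.ef

    @property
    def ale(self) -> float:
        """Step 5: annualized loss expectancy, ALE = SLE × ARO."""
        return self.sle * self.aro


def rank_by_ale(risks: Iterable[Risk]) -> List[Risk]:
    """Highest annual loss first: the order in which to plan responses."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def residual_risk(inherent: float, effectiveness: float) -> float:
    """Residual = inherent − reduction, where reduction = inherent × effectiveness."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    return inherent - inherent * effectiveness


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual value of a control: positive when it removes more loss than it costs.
    A negative value is the 'solution seeking a problem' the chapter warns about."""
    return (ale_before - ale_after) - annual_cost


# Constructed example register (not real figures).
REGISTER = [
    Risk("customer database", av=500_000, ef=0.40, aro=0.20),   # one breach every 5 years
    Risk("web storefront",    av=200_000, ef=0.25, aro=2.0),    # two short outages a year
    Risk("office laptops",    av=50_000,  ef=0.10, aro=4.0),    # several losses a year
]


def worked_example() -> dict:
    """The chapter's $100,000 / 70% case plus a cost check on a control for the database."""
    db = REGISTER[0]
    after = residual_risk(db.ale, 0.70)            # control cuts the database ALE by 70%
    return {
        "residual_after_70pct": residual_risk(100_000, 0.70),   # 30,000
        "db_ale_before": db.ale,                                 # 40,000
        "db_ale_after": after,                                   # 12,000
        "cheap_control_value": countermeasure_value(db.ale, after, 20_000),      # +8,000
        "expensive_control_value": countermeasure_value(db.ale, after, 35_000),  # -7,000
    }
```

Ranking by ALE puts the storefront first even though its single-loss figure is far below the database's, which is the point of step 4: frequency matters as much as severity.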
Interviews
Interviews, held in either group settings or one on one, can be an effective approach to gather details on risks from the interviewee's perspective.
Web Application Attacks (2/2)
Lightweight Directory Access Protocol (LDAP) injection—Inserting LDAP filter syntax into input that a web application embeds in a directory query, to bypass authentication or read directory data the application should not return.
Local shared objects (LSO)—Using Flash cookies (named after the Adobe Flash Player), which could not be deleted through the browser's normal settings and could be used to reinstate regular cookies that a user had deleted or blocked. Adobe ended support for Flash Player at the end of 2020, so this vector is now largely historical.
Malicious add-ons—Using software plug-ins or add-ons that run additional malicious software inside legitimate programs or applications.
SQL injection—Injecting Structured Query Language (SQL) syntax through application input so that the back-end database executes attacker-chosen queries, disclosing or modifying data.
Watering-hole attack—Planting malicious code on a website that the targeted users commonly visit, in the hope that a user will trigger the attack with an unknowing click.
XML injection—Injecting XML tags and data into a request that an application parses or stores, in an attempt to retrieve or alter data.
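An added example (not from the chapter) of the SQL injection entry: the same login check written by string concatenation and then with bound parameters, run against an in-memory SQLite table of constructed users. The table, the user names and the password hashing are demo assumptions; a real system would use a slow salted hash such as bcrypt or Argon2.

```python
"""SQL injection: string-built query vs. parameterized query.
Added example; the users table and credentials are constructed for the demo."""
import hashlib
import sqlite3
from typing import List


def _hash(pw: str) -> str:
    # Placeholder for the demo only; production code uses bcrypt/scrypt/Argon2.
    return hashlib.sha256(pw.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed sample users (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", _hash("correct horse")), ("admin", _hash("s3cret-admin"))],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Attacker-controlled text becomes part of the SQL grammar."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep the data out of the SQL grammar entirely."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> List[str]:
    """A 'find user' feature built the same unsafe way: a UNION pulls other columns."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [r[0] for r in conn.execute(query).fetchall()]


def safe_lookup(conn: sqlite3.Connection, username: str) -> List[str]:
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()
    return [r[0] for r in rows]


def demo() -> dict:
    conn = build_db()
    bypass = "admin' --"     # closes the string literal, comments out the password check
    return {
        "legit_vuln": vulnerable_login(conn, "alice", "correct horse"),
        "legit_safe": safe_login(conn, "alice", "correct horse"),
        "inject_vuln": vulnerable_login(conn, bypass, "anything"),
        "inject_safe": safe_login(conn, bypass, "anything"),
    }
```

The UNION payload in the test below is the "obtain information and data" half of the entry: the vulnerable lookup returns password hashes through a column that was supposed to carry user names, while the parameterized lookup returns nothing because no user has that literal name.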
Checklists
Many organizations develop checklists of risks for either their own use or general distribution. Checklists developed for similar organizations or purposes can be helpful in ensuring that the full breadth of risks is covered.
Monitor and control risk responses
Monitor and measure each risk response to ensure that it is performing as expected. This step can include passive monitoring and logging, as well as active testing, to see how a control behaves.
Disclosure threats
Occurs any time unauthorized users access private or confidential information, either while it is stored on a network resource or while it is in transit between network resources. Attackers can use software called a packet sniffer to collect and analyze network packets, looking for private or confidential data. Disclosure can also occur when a computer or device containing private or confidential data, such as a database of medical records, is lost or stolen. Disclosure threats include sabotage and espionage.
Operational Controls
Operational personnel may implement and manage these controls, such as physical security and incident response.
Surveys
Organizations that use surveys send lists of prepared questions to a variety of people from different areas of the organization for input. One such survey technique is the Delphi method, in which responses are anonymized to foster more open dialogue, shuffled, and sent back to participants for comment.
Regular Audits
Perform frequent security audits to identify and rectify vulnerabilities
Scales of qualitative risk analysis
Probability or likelihood: some things, such as the malfunction of a badge reader, will seldom happen, whereas others, such as employees calling in sick, will happen often. Impact: some things, such as a workstation that fails to boot, have a minor impact on productivity, whereas an entire production system breaking down will have a major impact.
Factors in evaluating countermeasures
Product costs, implementation costs, compatibility costs, environmental costs, testing costs, productivity impact
Common responses to each negative risk
Reduce, Transfer, Accept, Avoid
Data backup
Regularly back up data so that it can be restored after a cyberattack or other loss, and test that the backups actually restore.
Software and Hardware Measures
Regularly update all software, including security patches. Implement strong firewall and anti-virus solutions
Avoid (Avoidance) (Negative Risk)
Risk avoidance is just that—deciding not to take a risk. A company can discontinue or decide not to enter a line of business if the risk level is too high. With avoidance, management decides that the potential loss to the company exceeds the potential value gained by continuing the risky activity. For example, a company may decide not to open a branch in a country mired in political turmoil.
Mitigation Strategies
Software and Hardware Measures, Training and Policies, Regular Audits, Data Backup
Assess and prioritize risks
Some risks pose a greater possibility of loss or interruption than others. Furthermore, not all risks apply to all businesses in all locations. For example, businesses in North Dakota or South Dakota do not need to worry about hurricanes. Of the risks that are possible, impact will be more or less severe depending on the scenario and location. Therefore, assessing risk is about determining which risks are the most serious ones for a specific location and environment
safeguard
Something built in to or used in a system to address gaps or weaknesses in the controls that could otherwise lead to an exploit.
Plan risk response
Starting with the highest-priority risks, explore potential responses to each one. With direction from the organization's upper management, determine the responses to each risk that provide the best value.
Implement risk responses
Take action to implement the chosen responses to each risk from the previous step
Determine annualized loss expectancy (ALE)
The ALE is the SLE (the loss when an incident happens) multiplied by the ARO (the number of incidents expected per year). The ALE helps an organization identify the overall annual impact of a risk. For infrequent events (ARO well below 1), the ALE will be much less than the SLE. ALE = SLE × ARO
Opportunity cost (True Downtime cost)
The amount of money a company loses due to either intentional or unintentional downtime
Loss expectancy
The amount of money that is lost as a result of an IT asset failure.
Calculate the asset value (AV)
The first step in risk assessment is to determine all the organization's assets and their value, that is, the importance of each asset to the organization's ability to fulfill its strategic goals. Asset value should consider the replacement value of equipment or systems and include factors such as lost productivity and loss of reputation or customer confidence
Identify risks
The first step to managing overall risk is to identify the individual risks. What could go wrong? What could interrupt operational readiness and threaten the availability of the functions and services the organization provides? Answers to those questions include fire, flood, earthquake, lightning strike, loss of electricity or other utility, communication interruption, labor strike, pandemic, or transportation unavailability. You must develop scenarios for each risk to assess the threats.
vulnerability window
The gap in time between the announcement of a vulnerability and the application of a patch
Risk management
The process of identifying, assessing, prioritizing, and addressing risks.
Intellectual property
The unique knowledge a business possesses that gives it a competitive advantage over similar companies in similar industries.
Calculate the single loss expectancy (SLE)
The value of a single loss can be calculated from the two preceding factors. SLE = AV × EF
Compensating controls
These controls are put in place as an alternative when a threat has no straightforward primary risk-mitigating solution, or when the preferred control is too costly or impractical; they provide a comparable level of protection by other means.
Technical Controls
These controls comprise computer programs, such as identification systems, or the output of computer programs, such as log files for audit trails.
Deterrent controls
These controls deter an action that could result in a violation. A fine line exists between these controls and preventive controls. Deterrent controls merely attempt to suggest that a subject not take a specific action, whereas preventive controls do not allow the action to occur. Deterrent controls are valuable when a knowledgeable user needs the ability to perform an action that involves risk. A deterrent control would allow the action after a warning, whereas a preventive control would not allow the action at all. In short, the decision to choose between a preventive and a deterrent control is often a balance between utility and security
Detective controls
These controls identify that a threat has landed in a system. An intrusion detection system (IDS) is an example. An IDS can detect attacks on systems, such as port scans that try to gain information about a system. The IDS then logs the activity
Corrective controls
These controls reduce the effects of a threat. When you reload an operating system after it is infected with malware, you are using this control. Forensics and incident response are other examples of corrective controls.
Preventive controls
These controls stop threats from coming into contact with a vulnerability. An example is an intrusion prevention system (IPS). An IPS is an IDS that is configured to actively block an attack. Instead of simply logging the activity, an IPS can change the configuration so that the malicious activity is blocked.
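An added example (not code from the chapter) of the detective and preventive controls just described: a small port-scan detector run over constructed firewall log lines, first in IDS mode (log an alert when one source touches many distinct ports within a window) and then in IPS mode (the same logic, but once a source crosses the threshold its later packets are dropped). The log format, the addresses and the threshold are demo assumptions.

```python
"""Port-scan detection (IDS) and inline blocking (IPS) over constructed log lines.
Added example; the log format, addresses and thresholds are demo assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)


def _build_sample_log() -> List[str]:
    """Constructed traffic, not a real capture: one host sweeps 25 ports in five seconds,
    another makes 25 ordinary connections to port 443 over two minutes."""
    lines = []
    for i in range(25):
        lines.append(f"2024-03-01T10:00:{i // 5:02d} src=10.0.0.5 dst=192.168.1.10 dport={20 + i} flags=S")
    for i in range(25):
        lines.append(f"2024-03-01T10:{i // 12:02d}:{(i * 5) % 60:02d} src=10.0.0.7 dst=192.168.1.10 dport=443 flags=S")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse(lines: Iterable[str]):
    """Yield (timestamp, src, dst, dport); silently skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def _distinct_ports(history: List[Tuple[datetime, int]], ts: datetime, dport: int,
                    window: timedelta) -> Set[int]:
    """Append this event, drop events older than the window, return the ports still inside it."""
    history.append((ts, dport))
    while history and ts - history[0][0] > window:
        history.pop(0)
    return {p for _, p in history}


def detect_scans(lines: Iterable[str], threshold: int = 10,
                 window: timedelta = timedelta(seconds=60)) -> Dict[str, Set[int]]:
    """IDS mode: return {src: ports} for sources that touched >= threshold distinct
    ports within the window. Nothing is blocked; this is the alert the IDS would log."""
    per_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    alerts: Dict[str, Set[int]] = {}
    for ts, src, _dst, dport in sorted(parse(lines)):
        ports = _distinct_ports(per_src[src], ts, dport, window)
        if len(ports) >= threshold:
            alerts[src] = ports
    return alerts


def ips_filter(lines: Iterable[str], threshold: int = 10,
               window: timedelta = timedelta(seconds=60)):
    """IPS mode: same detection inline; once a source crosses the threshold, the
    triggering packet and every later packet from that source are dropped."""
    per_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    blocked: Set[str] = set()
    allowed: List[str] = []
    dropped: List[str] = []
    for line in lines:
        parsed = next(parse([line]), None)
        if parsed is None:
            continue
        ts, src, _dst, dport = parsed
        if src in blocked:
            dropped.append(line)
            continue
        if len(_distinct_ports(per_src[src], ts, dport, window)) >= threshold:
            blocked.add(src)
            dropped.append(line)
        else:
            allowed.append(line)
    return allowed, dropped, blocked
```

The same heuristic serves both controls; what changes is whether the verdict only produces a log entry or also changes what is let through, which is exactly the IDS/IPS distinction in the two entries above.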
Accept (Acceptance) (Negative Risk)
This approach allows an organization to accept risk and is dependent on the risk appetite of senior management. Even though the organization knows the risk exists, it has decided that the cost of reducing the risk is greater than the loss would be. Self-insuring or using a deductible may be part of this approach. For example, a physician buys malpractice insurance and accepts the residual risk of loss equal to the deductible. The physician might decide to pay an even higher premium to reduce the deductible but could also decide that the higher premium would not be worth the cost because of expectations that claims would rarely be made.
Transfer (Transference/assignment) (Negative Risk)
This approach allows the organization to transfer the risk to another entity, such as with insurance. In this way, an organization "sells" the risk to an insurance company in return for a premium. Risks can also be transferred to insulate an organization from excessive liability. A hotel, for example, engages a separate car-parking corporation to manage its parking lot and in effect transfers the responsibility for losses to the car-parking corporation, making an incident in the parking lot less likely to put the hotel in jeopardy of a lawsuit.
Reduce (Reduction/mitigation) (Negative Risk)
This approach uses various administrative, technical, or physical controls to mitigate or reduce identified risks. For example, adding antivirus software reduces the risk of computer infection
Determine how often a loss is likely to occur every year
This figure is called the annualized rate of occurrence (ARO), also known as the risk likelihood: the expected number of incidents per year.
Working Groups
This technique focuses on soliciting feedback from a group of individuals selected from a specific work area to help identify risks in that area.
Brainstorming
This technique involves getting unstructured input from members of the organization in a group meeting. The facilitator should encourage all members to offer suggestions without fear of criticism or ridicule
Historical information
Unless an organization is brand new, it will have some historical information at its disposal. This information may be a previously encountered risk identification process or documentation of things that went wrong in the past. Either way, historical information can be valuable to identify current risks.
Domain Threats and targets
User Domain—Employees' own human traits and behavior lead to violations of the acceptable use policy; the people themselves are the target.
Workstation Domain—Workstations, laptops and mobile devices, together with their vulnerabilities, are the point of entry into the IT infrastructure, which is why audit trails, log capture and monitoring are essential here.
LAN Domain—Windows Active Directory/domain controllers, file servers and print servers. Networks running IP are part of the LAN Domain and are a target for identification and authentication attacks.
LAN-to-WAN Domain—Public-facing IP devices, including perimeter security with firewalls, IDS/IPS and remote virtual private network (VPN) terminations. Demilitarized zone (DMZ) virtual LANs (VLANs) or dedicated remote connections are typically terminated here.
WAN Domain—The wide area network itself (the Internet or carrier-provided links) and the routers and circuits that connect the organization's sites. Traffic crossing it is exposed in transit, and the provider-facing routers and connections are the target.
Remote Access Domain—VPNs, multifactor authentication and remote access for mobile workers and teleworkers are typically supported here and are targeted.
System/Application Domain—Web and application servers, operating systems and applications. Back-end database servers and database tables holding sensitive data are the target.
Accept (Acceptance)
When you accept a positive risk, you take no steps to address it because the potential effects of the risk are positive and add value. For example, suppose an organization has purchased a new automated backup and configuration utility that can help deploy new workstations in half the allotted time, but, because the utility is new, it may take some time to learn, meaning it may not help the organization save any time deploying new workstations. It has been determined that, at worst, learning the new utility and using it to manage deployments would take the same amount of time as deploying the workstations manually. However, to realize the positive risk, the deployments would be finished sooner than planned.
Enhance (Enhancement) (Positive Risk)
When you enhance a positive risk, you increase the probability of the positive impact of the event associated with the risk. For example, suppose a company has a contract to deliver software that includes a $20,000 bonus for early delivery. To enhance the positive risk (a delivery date that precedes that of the contract), a subcontractor is offered a $5,000 bonus for finishing ahead of the deadline.
Exploit (Exploitation) (Positive Risk)
When you exploit a positive risk, you take advantage of an opportunity that arises when you respond to that risk. For example, suppose an organization developed training materials for use to help address a specific risk. You might exploit the risk by packaging and marketing those training materials to other organizations.
Share (Sharing) (Positive Risk)
When you share a positive risk, you use a third party to help capture the opportunity associated with that risk. For example, banding with another organization to purchase a group of workstation licenses enables both organizations to realize a substantial discount due to the size of the combined order (in this case, the risk is that the license cost may change).
event
a measurable occurrence that has an impact on the business, either having little effect or perhaps escalating into an incident
Disaster Recovery Plan (DRP)
addresses situations that damage or destroy necessary parts of the supporting IT infrastructure. Make sure your systems and services quickly become available to users after an outage and that you recover any lost or damaged data. However, you also play a role in making sure you handle the recovery process correctly.
Quantitative Risk Assessment
an approach in which the cost or value of the identified risk and its financial impact are examined. a financial business decision can be made in alignment with a risk transfer strategy (e.g., buying more insurance coverage). This type of risk assessment is easier to automate and more objective than a qualitative analysis in that it attempts to describe risk in financial terms and put a dollar value on each risk. One drawback to this approach, though, is that many risks have difficult-to-measure values, such as brand reputation and the availability of countermeasures or security controls, for which exact numbers can be difficult to determine, especially the cost of the impact of future events
Qualitative risk assessment
an approach in which the risk impact is examined by assigning a rating for each identified risk (e.g., critical, major, or minor or high, medium, or low). When performing a qualitative risk assessment, the assessor must examine both the risk impact and the likelihood of occurrence. Impact is the degree of effect a realized threat would pose and is often expressed from low (insignificant) to high (catastrophic). Qualitative risk assessments can be fairly subjective, but they do help determine the most critical risks. This type of assessment requires diverse input from people who work in different departments, which allows the business units and technical experts to understand the ripple effects of an event on other departments or operations and encourages the use of relative terms, for example, asking which risks are worse than others.
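The qualitative scales described here and under "Scales of qualitative risk analysis", combined with the risk register entry described earlier, as one added example (not code from the chapter). The five-point likelihood and impact scales, the rating thresholds and the sample risks are assumptions chosen for the illustration; any organization would tune them to its own appetite.

```python
"""Qualitative risk scoring and a ranked risk register.
Added example; the scales, thresholds and sample risks are demo assumptions."""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed five-point scales; the words are illustrative, not the chapter's.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


def score(likelihood: str, impact: str) -> int:
    """Cell of a 5 x 5 likelihood-by-impact matrix."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rate(value: int) -> str:
    """Assumed thresholds on the matrix score."""
    if value >= 15:
        return "critical"
    if value >= 8:
        return "high"
    if value >= 4:
        return "medium"
    return "low"


@dataclass
class RegisterEntry:
    description: str
    likelihood: str
    impact: str
    mitigation: str      # steps to reduce the risk
    contingency: str     # steps to take if the event occurs
    rank: int = 0        # filled in by build_register

    @property
    def score(self) -> int:
        return score(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return rate(self.score)


def build_register(entries: Iterable[RegisterEntry]) -> List[RegisterEntry]:
    """Order by score (ties broken by description) and assign ranks starting at 1."""
    ordered = sorted(entries, key=lambda e: (-e.score, e.description))
    for position, entry in enumerate(ordered, start=1):
        entry.rank = position
    return ordered


# Constructed sample risks drawn from the chapter's own illustrations.
SAMPLE_RISKS = [
    RegisterEntry("Badge reader malfunction", "rare", "minor",
                  "spare reader on site", "guard checks IDs manually"),
    RegisterEntry("Employees call in sick", "almost certain", "insignificant",
                  "cross-train staff", "reassign shifts"),
    RegisterEntry("Production system failure", "possible", "catastrophic",
                  "redundant hardware, tested backups", "invoke disaster recovery plan"),
    RegisterEntry("Ransomware on file server", "possible", "major",
                  "patching, least privilege, offline backups", "isolate host, restore from backup"),
    RegisterEntry("Workstation fails to boot", "likely", "insignificant",
                  "standard image, spare units", "swap in spare workstation"),
]
```

Because the scoring is multiplicative, a frequent nuisance (sick days) and a rare catastrophe can land in different bands for the same product of words; reading the matrix cell rather than a single number is what lets business units argue over "which risks are worse than others".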
Pharming
another type of attack that seeks to obtain personal or private financial information through domain spoofing, but without using messages to lure victims to spoofed websites. Instead, pharming "poisons" the domain name lookup, on a DNS server or resolver (DNS poisoning) or in the victim's local hosts file, so that when users type the legitimate web address into the address bar they are sent to the attacker's site. Because the browser still shows the correct address, pharming is difficult to detect and therefore more serious. Where phishing scams people one at a time with an email or instant message, pharming lets scammers target large groups of people at once through domain spoofing.
incident
any event that either violates or threatens to violate a company's security policy and that justifies a countermeasure; for example, employee warehouse theft is an incident
vulnerability
any exposure that could allow a threat to be realized. Some vulnerabilities are weaknesses, such as a software bug, and some are just side effects of other actions, such as when employees use their personally owned smartphones to access corporate email or the corporate network
Acceptable Range of Risk/Residual Risk
determines how activities and countermeasures are defined. The upper boundary is the level of risk impact whose cost would be too great for the organization to bear; the lower boundary is the point at which spending more on countermeasures costs more than the residual risk they would remove. The goal of risk management is to stay inside the acceptable range.
Business Impact Analysis (BIA)
identifies your organization's most important business functions and how risks could impact each one.
Purpose of risk management
identify possible problems before something bad happens. It is important to identify risks: 1. Before they lead to an incident 2. In time to enable a plan and begin risk-handling activities (controls and countermeasures) 3. On a continuous basis across the life of the product, system, or project
Calculate the exposure factor (EF)
represents the percentage of the asset value that would be lost if an incident were to occur.
Threat
something bad that might happen to an organization. A threat could be a tornado hitting a data center or an attacker exfiltrating and leaking (perhaps for profit) sensitive data.
Impact
the amount of risk or harm caused by a threat or vulnerability that is exploited by a perpetrator. For example, if malware or malicious software infects a system, the impact could affect all the data on the system, as in the case of a cryptolocker, which encrypts production data.
Phreaking
the art of exploiting bugs and glitches that exist in the telephone system.
Risk
the likelihood that something bad will happen. Most risks lead to possible damage or negative results that could impact an organization. Not all risks are inherently bad; some risks can lead to positive results. The extent of damage (or even positive effect) from a threat determines the level of risk
Residual risk
the risk that remains after countermeasures and controls have been deployed. Equation: Residual risk = inherent risk − risk reduction from controls
Management Controls
used to manage the entire risk process. For example, reviewing security controls and developing and maintaining the overall security plan are management controls.
Alteration threats
violates information integrity. This type of attack compromises a system by making unauthorized changes to data, either intentionally or unintentionally. These changes might occur while the data is stored on a network resource or while it is moving between two resources. Intentional changes are usually malicious, whereas unintentional changes are usually accidental. People can, and often do, make mistakes that affect the integrity of computer and network resources. Even so, unintentional changes still create security problems.